This is Lukepuplett's Typepad Profile.
Recent Activity
Websites I've designed have used the technique Oskar describes to make a canonical string from data about the client, which is hashed to make a more individual session key. It works. A hacker would need to fake a few details about a customer's active session to steal it. It's enough to not be the lowest-hanging fruit. HTTPS wouldn't be too much of a pain, except for maybe upgrading to a NIC that has full TCP/IP and SSL chimney offload to accelerate it, and some possible problems with mixed HTTP/HTTPS content on the same page (ads), and that's probably the biggest barrier to wide-scale SSL adoption. Luke
Commented Nov 15, 2010 on Breaking the Web's Cookie Jar at Coding Horror
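A Python sketch of the session-binding technique Luke's comment describes, added here as an example (it is not code from the commenter or from Coding Horror). The choice of header fields, the /16 network prefix and the keyed HMAC in place of a plain hash are my assumptions:

```python
import hashlib
import hmac
import secrets

# Server-side secret (assumed): generated at startup here; load it from config in practice.
SERVER_SECRET = secrets.token_bytes(32)


def canonical_client_string(headers: dict, remote_addr: str) -> str:
    """Build a deterministic string from request attributes a client rarely changes
    mid-session. Field order and separators are fixed so the same client always
    yields the same string. The field list is an assumption, not the commenter's."""
    ua = headers.get("User-Agent", "")
    lang = headers.get("Accept-Language", "")
    # Keep only the first two octets of the IPv4 address so a user roaming inside
    # one ISP is not logged out; use the full address if sessions are short-lived.
    net = ".".join(remote_addr.split(".")[:2])
    return "\n".join(["v1", ua, lang, net])


def bind_session(session_id: str, headers: dict, remote_addr: str) -> str:
    """Fingerprint to store beside the session record: HMAC over the session id
    and the canonical client string, keyed with the server secret so a stolen
    cookie alone does not let an attacker compute a matching value."""
    msg = (session_id + "\n" + canonical_client_string(headers, remote_addr)).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_session(session_id: str, stored_fp: str, headers: dict, remote_addr: str) -> bool:
    """Recompute the fingerprint for the current request and compare in constant time.
    A mismatch means the cookie is being presented from a different-looking client."""
    expected = bind_session(session_id, headers, remote_addr)
    return hmac.compare_digest(expected, stored_fp)


# Constructed sample client (not real traffic).
LEGIT_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6",
    "Accept-Language": "en-GB,en;q=0.8",
}
```

Store the returned fingerprint server-side with the session, never in the cookie, and treat a verification failure as grounds to invalidate the session rather than just deny one request.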
Lukepuplett is now following The Typepad Team
Nov 15, 2010